Search This Blog

Showing posts with label Private Sectors. Show all posts

NIST Seeking Feedback for a New Cybersecurity Framework and Supply Chain Guidance

 

Addressing the SolarWinds disaster and other major third-party assaults targeting vital infrastructure, the National Institute of Standards and Technology is due to publish advice for securing organizations against supply chain breaches. [Special Publication 800-161] is the most important cybersecurity supply chain risk management guidance.' Angela Smith of the National Institute of Standards and Technology (NIST) stated. 

Angela Smith of the NIST talked at an Atlantic Council session on Tuesday about initiatives to protect information and communications technology supply chains. The first big revised version will be released by the end of next week, so stay tuned if you haven't already reviewed some of the public drafts. 

The NIST upgrade comes as the Biden administration tries to use the government's procurement power to prod contractors such as IT management firm SolarWinds and other software vendors to improve the security of their environments. 

Vendors of the underlying information and communications technology are pitching in and the Cybersecurity and Infrastructure Security Agency consider expanding private-sector partnerships and taking a more comprehensive approach to tackling dangers to critical infrastructure. 

Future guidelines on trying to manage cybersecurity risks that emerge through the supply chain, according to Smith, would focus more on actions for providers along the chain to address, in addition to the upcoming change. The current literature on the subject has been centered on the organizations' responsibilities for integrating supply-chain aspects into existing surroundings. 

The previous draft version, R2, which was released in October 2021, had a new appendix, Appendix F, which gave implementation assistance for Executive Order 14028 to government agencies. Following NIST's February 4, 2022, Secure Software Development Framework (SSDF) Recommendations, the SP 800-161 release scheduled for next week is likely to deliver more EO 14028 guidance.

The CSF was last updated by NIST in 2018. "There is no single reason causing this transition, This is a scheduled upgrade to keep the CSF current and consistent with other regularly used tools," said Kevin Stine, Chief Cybersecurity Advisor at the NIST. NIST is seeking public input on three primary topics to help guide the revision: revisions to the CSF itself, relationships and alignment between the CSF and other resources, and approaches to improve supply chain cybersecurity. President Barack Obama directed NIST to develop the CSF and directed federal agencies to use it, as well as advising the private sector to do so.

NIST should give a definition for an agency to "use" the framework, and agencies should furnish NIST with cybersecurity risk documents developed and used to comply with this requirement. For enterprises that are utilizing or considering adopting the NIST Cybersecurity Framework, seeing how it is used by US government entities would be extremely beneficial.

Cyber Threat U.S. Spy Agency Collaborates with Private Sector to Counter Threat

 

The U.S. National Security Agency, which is renowned globally for its secrecy, on Tuesday opened its arms to the private sector with the aim of strengthening relations and learning about hacking campaigns from the U.S. firms that are repeatedly targeted by hacking groups. 

"I think it is really important for NSA to take a stance where we are engaging and figuring out how to make the environment more secure and everyone is learning from the lessons of the past," he said at a media roundtable,” said NSA Director of Cybersecurity Rob Joyce.

The U.S. law denies NSA from accessing American computer networks, so the agency hopes that increasing partnerships with defense, technology, and telecommunications companies will provide insights the agency can’t get on its own, he further added. However, he denied disclosing the name of the companies the NSA is working with and didn’t expand on what information private companies would share with the agency. 

The NSA’s publicity tour comes after a series of high-profile hacks over the last year, including a massive cyberattack that penetrated numerous federal agencies and another that crippled a major U.S. gas pipeline. 

The center, which started in January 2020, is unique in the NSA's history because it is located in a nondescript office park in suburban Maryland next to defense contractors, including Northrop Grumman Corp., Raytheon Technologies Corp., and General Dynamics Corp., and is across the street from NSA headquarters. But the center doesn’t have the same barbed wire fencing and armed guards as the NSA. 

U.S. officials admitted the lack of total visibility on the cyber threat due to legal restrictions that prevent the NSA and other federal spy agencies from collecting data on domestic computer networks. Foreign hackers know about the controls, former U.S. officials say, so they often stage attacks on U.S. based servers. 

"U.S. companies will also be benefitted from the NSA's vast experience and analytical capability. Cybersecurity is a team sport and NSA is really just stepping up to play its position. Providing services to the defense industrial base and national security systems and a large U.S. market share is what we focus on from a selection criteria," said Morgan Adamski, chief of the center.